HI dave, Yes I can send packet capture, debug logs and everything to you, do you want it all via private message here?

Looks like most of my suspicions are right going off everything you have just said.

Just sent you a private message with packet capture and debug files.

We really have the A - team on it now, both Dave & Bob😀

Are we any closer to bottoming this ?

Dave is waiting back on someone from BT, I have a managed switch that can do port mirroring so will do a packet capture this weekend of the Plusnet router authentication and we can see the differences.

I will be posting what the fix is here if we resolve the issue.

Please update the post if you manage to resolve this. im having the same issue with a PA 440 

@leighboy  interesting that you're the same. I presume it's working ok with a different router (Plusnet Hub?). Did you also upgrade from FTTC and it worked on FTTC before that?

@leighboy @witherford  to both on you, on FTTC what modem did you have for the VDSL service and have you done a reboot and/or factory reset on the Palo Alto since the switchover? It shouldn't need a reset but just checking for completeness while I'm waiting on feedback.

Hi Dave,

When I used FTTC I used one of the BT openreach modems, the PA-220 plugged into the LAN port on the modem and the VDSL port was then plugged into the master socket.

A reboot has been done of the PA-220 and a software upgrade all to no avail.

I did indeed upgrade from fttc and was using the Openreach modem before , no authentication protocol was used previously so i suspect the modem was doing that part. for reference, I do have a static external ip address also.

Edit - the hub works fine, in bridge mode it also fails to make a connection 

I have rebooted the FW . A factory reboot of the fw would be to much agro with the level of config on it.

Exact same as me just a PA-220 vs 440

@dave   interestingly  when i put a switch in between  the plusnet hub and the ONT and  use a span port to see the traffic flow in between I get nothing at all.

When I have the Palo alto and the ont offloading to the span port  in my packet  capture i can see.

ppp information 

challenge (code98) from: acc-aln3.ea-d
response (code67) my username with plusdsl.net
 followed by  (60) failure chap authentication failure

then active discovery terminate 

does fttp need to authenticate in a different way? different prefix to the end of the usernname maybe?

does fttp need to authenticate in a different way? different prefix to the end of the usernname maybe?

Nope! It's exactly the same. I've used at least three different routers on fttp all configured with the same pppoe credentials

interestingly  when i put a switch in between  the plusnet hub and the ONT and  use a span port to see the traffic flow in between I get nothing at all.

The Hub 2 does try to detect whether it has a wan or dsl connection, maybe it can't detect the wan through the switch. Can't see why  it shouldn't though ?

I have attached a packet capture of the Plusnet router performing the authentication through the ONT which is successful.

I have highlighted the packets which to me are of attention, after packet 15 we would normally get CHAP auth failure, but we don't instead we get a configuration request from the remote end and a further exchange of ACK's and config requests, before a challenge from what I presume is the plusnet end which is a JUNOS device (packet 20).

I have taken a look inside of the configuration requests and ack's and their is a negotiation of the MTU @ 1492 followed by the authentication negotiation which is CHAP with MD5, this applies to both sets of authentication.

Yes, that's about what you would expect.

Whatever your pa220 is sending back in response to the chap challenge isn't being accepted.

Since we can see the username and that's the same as the hub2 i assume?

So it's got to be the password it doesn't like. Problem is the pw is md5 hashed using the Id and magic value from the challenge so it's very difficult to check if its being sent correctly